How can I be as security tight as possible?
#1

[eluser]markanderson993[/eluser]
Hello there CodeIgniter experts. I am a paranoid man and I would love your input on how I could make my <input ... /> areas as secure as possible. I am currently using htmlentities and trim on all fields but I don't feel that is enough if it came to php/mysql injection.

I feel I am missing something :/ If you have any suggestions please post here. Thank you!

- Pianoman993
#2

[eluser]TheFuzzy0ne[/eluser]
You just need to escape your data before inserting it into the database, using $this->db->escape(). If you're using the Active Record class, this is done automatically for you, unless you've specifically told the insert/update function not to.
#3

[eluser]markanderson993[/eluser]
Great thanks, that helps me out a bunch.
#4

[eluser]pistolPete[/eluser]
Restrict the permitted_uri_chars, or leave the default:
Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';

Use the Input class instead of $_POST: User guide

Use the global_xss_filtering :
Code:
$config['global_xss_filtering'] = TRUE;
#5

[eluser]TheFuzzy0ne[/eluser]
permitted_uri_chars only covers characters that come via GET and not POST. I know this because I use POST to circumvent these restrictions.

XSS filtering only covers cross-site scripting attacks, not SQL injection attacks.

I would definitely recommend that you use $this->input->post(). If you want to XSS filter a specific field, you can pass TRUE as the second parameter. I wouldn't recommend global XSS filtering unless you absolutely need it, as it comes with quite a bit of overhead.

EDIT: Oops, didn't spot the "php" part in the original post.
#6

[eluser]darkhouse[/eluser]
I generally do all my XSS filtering in the rules of my form validation. That way I can apply it only to the ones that absolutely need it, and do other things in other fields to make sure they don't allow XSS even without using the XSS filter. For example, if you're accepting any field that should be a number, just use the rule 'numeric', because if it is a number, it can't have any XSS in it, and you didn't need to use the beefy XSS filter to prove that. 'valid_email' is another one. For things like postal/zip codes and things you know a certain format for, you can (and should) write a callback to make sure they're in that format, which would alleviate the need for XSS as well.
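As an added example (not code from this thread or from CodeIgniter itself), here is how the advice in the replies above fits together in one CodeIgniter 2.x controller: type-restricting rules where possible, the xss_clean rule on only the free-text field, a format callback for the postal code, and Active Record doing the escaping on insert. The `contacts` table, the field names and the postal-code format are assumptions.

```php
<?php
// Added example, not from the thread. Table `contacts`, field names and the
// postal-code format (Canadian-style A1A 1A1) are assumptions.
class Contact extends CI_Controller {

    public function submit()
    {
        $this->load->library('form_validation');
        $this->load->database();

        // A value that passes 'numeric' or 'valid_email' cannot carry markup,
        // so these fields need no XSS filter at all.
        $this->form_validation->set_rules('age',   'Age',   'trim|required|numeric');
        $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email');
        // Free-format text: the only field that gets the xss_clean rule.
        $this->form_validation->set_rules('message', 'Message',
            'trim|required|max_length[500]|xss_clean');
        // Known format: a callback enforces the shape instead of filtering.
        $this->form_validation->set_rules('postcode', 'Postal code',
            'trim|required|callback__valid_postcode');

        if ($this->form_validation->run() === FALSE)
        {
            $this->load->view('contact_form');
            return;
        }

        // Active Record escapes every value on insert, so no manual
        // $this->db->escape() call is needed here.
        $this->db->insert('contacts', array(
            'age'      => (int) $this->input->post('age'),
            'email'    => $this->input->post('email'),
            'message'  => $this->input->post('message', TRUE), // TRUE = XSS-clean this field only
            'postcode' => strtoupper($this->input->post('postcode')),
        ));

        $this->load->view('contact_thanks');
    }

    // Callback: accept only A1A 1A1 style codes. Anything else is rejected,
    // so the stored value can never contain script or markup.
    public function _valid_postcode($str)
    {
        if (preg_match('/^[A-Z]\d[A-Z] ?\d[A-Z]\d$/i', $str))
        {
            return TRUE;
        }
        $this->form_validation->set_message('_valid_postcode',
            'The %s field must look like A1A 1A1.');
        return FALSE;
    }
}
```

The leading underscore on `_valid_postcode` keeps the callback from being routable as a URL in CodeIgniter 2.x while still letting the validator call it.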
#7

[eluser]TheFuzzy0ne[/eluser]
Nice tips.
#8

[eluser]markanderson993[/eluser]
This is extremely helpful. Thanks everyone for your useful advice.